Shulou(Shulou.com)05/31 Report--

This article mainly explains the "javascript application case analysis", the content of the article is simple and clear, easy to learn and understand, the following please follow the editor's ideas slowly in depth, together to study and learn "javascript application case analysis" bar!

Recursive mode + confusion + simple flattening

First of all, there are obfuscation tools on the market that can achieve this effect. I have also written an obfuscation tool based on ast, which has gone too far. Let's take a look at it. It reads strings in an array way, when searching for source code.

We found his initialization location.

Because he parses this array dynamically, we just need to get the members of his array and put it in it.

In fact, I see here is very confused, this string did not add a password, naked ah.

And then we manually assign the string array, and then we copy this js to the confusion restore tool I wrote to take a look.

No pressure, instantly restore, the tool automatically calculates scope replacement. Then we paste it into notepad to have a look.

If you look at it from this point of view, basically everything is out, everything is ready for debugging, and we replace the original js. How to replace it is to copy the ret = eval analyzed yesterday (pseudocode directly copies this to it, which is also convenient for debugging. After the refresh, debugger, we forgot to deal with it, just skipped it, and then we saw this.

Then, in the spirit of the test, I refreshed it seven or eight times and found a problem.

I saved this page with js and didn't pull the latest one from the server, but it still works, because it has two places. Let's try this one.

If the js is fixed and the normal encryption is not fixed, it will be a big head, because this is an encrypted string. No matter what it is, we will decrypt it later.

Now we can regularly debug his first layer of decrypted js, because everyone knows that his url is hook, that is, business and anti-crawling are separate, so we don't need to refresh the page to let him go to the breakpoint, we can do this.

We simulate one of his interfaces on the console and enter the car.

The request has been successful. let's see the part he submitted.

It is explained here that it is an arbitrary url, because it is the api of hook ajax, and it can be url-free. We can use xhr breakpoints.

Click on the plus sign and we set it up to request that the url containing the specified string will be broken.

$.get ("/ tmrpToken.token")

Then enter the console.

Broken at the place where the url was actually submitted, we saw that he was this.send.

We see that his this is the XMLHttpRequest object, and we see that his url has been completely calculated.

Looking along the stack, we first look at send, click in, and we lower the breakpoint here, because his variables and so on are calculated according to the scope. If it is complicated, it is better to calculate from scratch, and the upper variables may overlap.

Let's make a good breakpoint. We'll resubmit it again.

On the second submission, we can see that it is very clean. We press f10 step by step.

When we get to this business, we find that url has appeared.

It is very clear that he is in 231. Let's look up.

He will have it after the execution of this function. Let's go in and have a look at the breakpoint under this function.

We f10 step by step to find that he is directly the last, and then go into this function to continue _ $7e

Pass in three parameters

Continue to take one step

Another _ $p5, continue

Or the three parameters are the same, and then there is a Function. Let's dig it out and take a look.

New a function and then pass in three parameters, or these three parameters

Generate a parameter one call parameter two methods, pass in parameter three, let's take a look at these three parameters

We can just do this.

Print out the location. We double-click in.

After the breakpoint goes in, we'll see.

There's nothing wrong with this function. Keep going.

This._$oM = arguments [1] = _ $ok (arguments [1]) [0]

It's hidden deep.

Let's follow this function.

Then we step by step to find that he walked here and got the result. Let's take a look at the parameters of its wear.

Let's just think that parameter 2 is useful, let's take a look at what comes from parameter 2.

Parameter 2, let's look at his parameters.

Var _ $S2 = _ $HW (_ $59 (_ $qt ("/ tmrpToken.token")

Let's see.

_ $qt

The rest of the code, no matter what function it is, will be deducted directly at that time. We will only analyze it.

So far we have seen that _ $HW,_$59,_$6p these three are used for encryption. As for the internal logic, let's just test whether it can be encrypted or not.

Take him out alone and write an encryption function.

Function url_encry (_ $di) {var _ $S2 = hm._$HW (hm._$59 (encodeURIComponent ("/ tmrpToken.token")); return hm._$6p (769,0, _ $S2, _ $di);}

Thank you for your reading, the above is the content of "javascript Application case Analysis". After the study of this article, I believe you have a deeper understanding of the problem of javascript application case analysis, and the specific use situation still needs to be verified in practice. Here is, the editor will push for you more related knowledge points of the article, welcome to follow!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.